authorJosh Boyer <jwboyer@fedoraproject.org>2016-03-29 14:22:22 -0400
committerJosh Boyer <jwboyer@fedoraproject.org>2016-03-29 14:22:22 -0400
commited12bfb0f64b462b19bc2cf310de73b6fef932b8 (patch)
treec84c9688cca132e2c5ecf5a10604b54bf0f72a60
parent713244c6fcdf9e26913e89e7f35bbfefd4823fe4 (diff)
CVE-2016-3157 xen: priv escalation on 64bit PV domains with io port access (rhbz 1315711 1321948)
-rw-r--r--kernel.spec6
-rw-r--r--x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch96
2 files changed, 102 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec
index 9e54aaa21..09a63d68c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -671,6 +671,9 @@ Patch686: input-gtco-fix-crash-on-detecting-device-without-end.patch
#CVE-2016-3136 rhbz 1317007 1317010
Patch687: mct_u232-sanity-checking-in-probe.patch
+# CVE-2016-3157 rhbz 1315711 1321948
+Patch688: x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch
+
# END OF PATCH DEFINITIONS
%endif
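Review bot: Patch688 is only defined in this hunk; whether it is actually applied depends on %prep logic that lies outside it. If kernel.spec applies every defined `Patch` entry automatically, nothing more is needed, but if it still requires an explicit ApplyPatch/%patch line, this commit lacks it and the CVE-2016-3157 fix would not be built in despite the changelog entry. A minor style point: the neighbouring marker reads `#CVE-2016-3136 rhbz 1317007 1317010` while the new one reads `# CVE-2016-3157 rhbz 1315711 1321948`; either spacing is fine, but keeping one convention makes the CVE markers easier to grep for consistently.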
@@ -2192,6 +2195,9 @@ fi
#
#
%changelog
+* Tue Mar 29 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-3157 xen: priv escalation on 64bit PV domains with io port access (rhbz 1315711 1321948)
+
* Tue Mar 29 2016 Justin M. Forbes <jforbes@fedoraproject.org>
- Turn off DEBUG_WX (rhbz 1318599)
diff --git a/x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch b/x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch
new file mode 100644
index 000000000..38f7bfbb0
--- /dev/null
+++ b/x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch
@@ -0,0 +1,96 @@
+From b7a584598aea7ca73140cb87b40319944dd3393f Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Wed, 16 Mar 2016 14:14:21 -0700
+Subject: [PATCH] x86/iopl/64: Properly context-switch IOPL on Xen PV
+
+On Xen PV, regs->flags doesn't reliably reflect IOPL and the
+exit-to-userspace code doesn't change IOPL. We need to context
+switch it manually.
+
+I'm doing this without going through paravirt because this is
+specific to Xen PV. After the dust settles, we can merge this with
+the 32-bit code, tidy up the iopl syscall implementation, and remove
+the set_iopl pvop entirely.
+
+Fixes XSA-171.
+
+Reviewewd-by: Jan Beulich <JBeulich@suse.com>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Andrew Cooper <andrew.cooper3@citrix.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: David Vrabel <david.vrabel@citrix.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Jan Beulich <JBeulich@suse.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/693c3bd7aeb4d3c27c92c622b7d0f554a458173c.1458162709.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+---
+ arch/x86/include/asm/xen/hypervisor.h | 2 ++
+ arch/x86/kernel/process_64.c | 12 ++++++++++++
+ arch/x86/xen/enlighten.c | 2 +-
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/xen/hypervisor.h b/arch/x86/include/asm/xen/hypervisor.h
+index 8b2d4bea9962..39171b3646bb 100644
+--- a/arch/x86/include/asm/xen/hypervisor.h
++++ b/arch/x86/include/asm/xen/hypervisor.h
+@@ -62,4 +62,6 @@ void xen_arch_register_cpu(int num);
+ void xen_arch_unregister_cpu(int num);
+ #endif
+
++extern void xen_set_iopl_mask(unsigned mask);
++
+ #endif /* _ASM_X86_XEN_HYPERVISOR_H */
+diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
+index b9d99e0f82c4..9f751876066f 100644
+--- a/arch/x86/kernel/process_64.c
++++ b/arch/x86/kernel/process_64.c
+@@ -48,6 +48,7 @@
+ #include <asm/syscalls.h>
+ #include <asm/debugreg.h>
+ #include <asm/switch_to.h>
++#include <asm/xen/hypervisor.h>
+
+ asmlinkage extern void ret_from_fork(void);
+
+@@ -411,6 +412,17 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
+ task_thread_info(prev_p)->flags & _TIF_WORK_CTXSW_PREV))
+ __switch_to_xtra(prev_p, next_p, tss);
+
++#ifdef CONFIG_XEN
++ /*
++ * On Xen PV, IOPL bits in pt_regs->flags have no effect, and
++ * current_pt_regs()->flags may not match the current task's
++ * intended IOPL. We need to switch it manually.
++ */
++ if (unlikely(static_cpu_has(X86_FEATURE_XENPV) &&
++ prev->iopl != next->iopl))
++ xen_set_iopl_mask(next->iopl);
++#endif
++
+ if (static_cpu_has_bug(X86_BUG_SYSRET_SS_ATTRS)) {
+ /*
+ * AMD CPUs have a misfeature: SYSRET sets the SS selector but
+diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
+index 2c261082eadf..8381fb990c7f 100644
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -961,7 +961,7 @@ static void xen_load_sp0(struct tss_struct *tss,
+ tss->x86_tss.sp0 = thread->sp0;
+ }
+
+-static void xen_set_iopl_mask(unsigned mask)
++void xen_set_iopl_mask(unsigned mask)
+ {
+ struct physdev_set_iopl set_iopl;
+
+--
+2.5.5
+